
Intel Expands Bug Bounty Program Post-Spectre and Meltdown

Intel will pay up to $250,000 to researchers who identify bugs more severe than 9.0 on the CVSS scale.

In the wake of the Spectre and Meltdown bugs, Intel has rolled out a significant expansion of its bug bounty program.

Intel first launched the program in March 2017. The biggest change is a shift from an invitation-only format to one open to all security researchers. The other key addition is a dedicated program for side-channel vulnerabilities, the class of flaws to which Spectre and Meltdown belong.

Spectre affects a wide range of CPUs from Intel, AMD and other makers, while Meltdown affects Intel processors. Meltdown breaks the isolation between a device's operating system and its applications, allowing an unprivileged application to read kernel memory. Spectre breaks the memory isolation between applications, allowing one process to read data belonging to another, and is considered by researchers to be harder to exploit but also harder to mitigate.

Intel’s new program for side-channel vulnerabilities is valid through Dec. 31. Reports on side-channel bugs rated between 9.0 and 10.0 on the Common Vulnerability Scoring System (CVSS) scale will pay out up to $250,000. Vulnerabilities rated between 7.0 and 8.9 will carry a bounty of as much as $100,000. Below the 7.0 threshold, awards max out at $20,000.

“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge,” said Rick Echevarria, VP and GM of platform security, in a blog post.

Since Spectre and Meltdown were disclosed last month, Intel has struggled to ship effective patches for the vulnerabilities. In one case, it asked customers to stop applying its microcode updates because the fixes caused unexpected system reboots and other problems.

The scale of the awards on offer in the expanded bug bounty program underscores how serious the company believes this class of vulnerability is.

As context, Google only recently introduced a bug bounty program for the Play store, initially offering $1,000 per RCE vulnerability and raising that potential reward to up to $5,000 earlier this month.

Intel is partnering with HackerOne on its bug bounty program. In June, HackerOne said the average bounty payout in 2016 was $1,923, a rise of 16 percent over the previous year.

Discussion

Intel has a big problem on its hands. It goes back a long time, and the Spectre/Meltdown threat seems to be fragmenting into new weaknesses that may bypass current patches. Really the only fix is to turn off the flawed part of the chip, leaving users with slower machines, but in reality we are slowly going down that road anyway. Of course the real fix will be new chips designed to mitigate the threat with a design change. Tough to say if Intel knew this would eventually happen. But it has, and I am glad Intel is trying to compensate properly for bug bounties and open it up to all. Let's hope it helps, but it could also bring with it more problems.

Authors

Threatpost
